[ZendTo] Re: AD/LDAP Authentication Help

Craig Chambers craig at craigchambers.net
Thu Mar 17 22:38:34 GMT 2011


Hi Jules,

Unfortunately, that didn't seem to work. Still getting "Authentication
Error: The username or password was incorrect." I am wondering if it is
something more fundamental that is the problem. It appears that via SSL TLS
does not work because my AD server's certificate isn't trusted even though I
tried to add it to the trusted list. But I am not sure if that matters since
I have SSL set to false. When set to false does it use Kerberos for
authentication or does it just send authentication credentials in the clear?

I also tried setting up users manually using the user management php scripts
but when I try and run:
> ~$ sudo /opt/zendto/bin/listusers.php /opt/zendto/config/preferences.php

I get the following message:
> PHP Notice:  Undefined index: HTTPS in /opt/zendto/lib/NSSDropbox.php on line 40
> PHP Notice:  Undefined index: SERVER_NAME in /opt/zendto/lib/NSSDropbox.php on line 40
> PHP Notice:  Undefined index: REQUEST_URI in /opt/zendto/lib/NSSDropbox.php on line 40
 
At this point I have spent about a solid week trying to figure this out and
am about to throw in the towel as this is obviously above my (admittedly
limited) abilities. I would like to have this running for our office, however,
so I am willing; if anyone has any other ideas or can help further, I am all
ears. In fact at this point, depending on the cost, I would be willing to pay
someone to help me set this up. I can even set up a new VM with ssh and/or
VNC credentials so that we are sure my mucking about hasn't created more
problems than were there originally.

Let me know,

- Craig


From:  Jules <Jules at zend.to>
Organization:  ZendTo
Reply-To:  ZendTo Users <zendto at zend.to>
Date:  Wed, 09 Mar 2011 13:25:49 +0000
To:  ZendTo Users <zendto at zend.to>
Subject:  [ZendTo] Re: AD/LDAP Authentication Help

On 08/03/2011 23:34, Craig Chambers wrote:
> Hello,
>
> I am having issues getting LDAP/AD authentication to work. I have read the
> archives and they all mention using ldapsearch to test your settings but I am
> not sure exactly how the ldapsearch strings match the fields in the
> preferences.php file.
>
> If I run the following ldapsearch, which seems to be the shortest string that
> will return the expected results (items in brackets are of course substituted
> with valid information):
>
>> ~$ ldapsearch -w <mypassword> -D LDAP@<domain>.local -H ldap://<server ip> -b "ou=AllowedUsers,ou=Users,ou=MyBusiness,dc=<domain>,dc=local" sAMAccountName
>
> I get a list of the users in the AllowedUsers OU so it looks like I can query
> the LDAP server. However when I try and translate this to the preferences.php
> file I get:
>
>> LDAP Error: Unable to connect to any of the LDAP servers; could not
>> authenticate user.
>>
>> Authentication Error: The username or password was incorrect.
The "-D" you are passing in with the "-w" doesn't authenticate correctly.
Why do you need to specify the @<domain>.local, surely just "LDAP" should
work as the rest should be taken by default.

> I currently have both LDAP and AD active in the preference.php file to see if
> I could get either to work which is why I assume I am getting two error
> messages.

That will definitely break it. You must only have 1 "authenticator = ....."
line uncommented, otherwise the first one will probably get overridden by
the later ones.
 
 Leave all the settings in the LDAP section commented out, for starters.
 
 Try this set for the AD ones:
 
   'authenticator'          => 'AD',
   'authLDAPBaseDN1'        => 'ou=AllowedUsers,ou=Users,ou=MyBusiness,dc=<domain>,dc=local',
   'authLDAPServers1'       => array('<server ip>'),
   'authLDAPAccountSuffix1' => '',
   'authLDAPUseSSL1'        => false,
   'authLDAPBindUser1'      => 'LDAP@<domain>.local',
   'authLDAPBindPass1'      => '<mypassword>',
   'authLDAPOrganization1'  => '<your organisation name>',
   'authLDAPBaseDN2'        => '',
   'authLDAPServers2'       => array(),
   'authLDAPAccountSuffix2' => '',
   'authLDAPUseSSL2'        => false,
   'authLDAPBindUser2'      => '',
   'authLDAPBindPass2'      => '',
   'authLDAPOrganization2'  => '',
 
 If you want to restrict it to certain "allowed users", then instead of
putting it in the authLDAPBaseDN1, use the settings immediately below it
like this:
 
   // If both of these are set, then only users who are members of the given
   // role/group can log in to ZendTo.
   'authLDAPMemberKey'      => 'memberOf',
   'authLDAPMemberRole'     => 'cn=AllowedUsers,OU=Users,OU=MyBusiness,dc=<domain>,dc=local',
 
and hence just add your users to the group "Allowed Users" within the
OU=Users subtree. So let any user authenticate, and just only allow in the
users that you want. They should get a more sensible error message then too.
 
Jules

-- 
Julian Field MEng CITP CEng
www.Zend.To <http://www.Zend.To>

Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

'All programs have a desire to be useful' - Tron, 1982
 
_______________________________________________
ZendTo mailing list
ZendTo at zend.to
http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
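The script below is an added example; it is not ZendTo's own code and was not posted by Craig or Jules. It reads the authLDAP* settings from a preferences.php fragment laid out like the one Jules suggested, derives the ldapsearch command that exercises the same bind and lookup (the field-to-flag mapping Craig asked about), and flags the two configuration problems raised in the thread: more than one uncommented 'authenticator' line, and 'authLDAPUseSSL1' => false, which means the bind password and the users' passwords travel as clear-text LDAP simple binds rather than via Kerberos. It assumes, as a reading of the config rather than a fact from the page, that the AD authenticator binds as authLDAPBindUser1 and then looks the login name up by sAMAccountName under authLDAPBaseDN1; the host 192.0.2.10, the domain example.local and the password in the sample are constructed placeholders.

```python
"""Map ZendTo's authLDAP* settings to an equivalent ldapsearch and lint them.
Added example, not ZendTo code; see the lead-in for the assumptions made."""
import re
import shlex

# Constructed sample modelled on the settings suggested in the thread. Host,
# domain, organisation and password are made-up placeholders, not real values.
SAMPLE_PREFS = """
  'authenticator'          => 'AD',
  'authLDAPBaseDN1'        =>
'ou=AllowedUsers,ou=Users,ou=MyBusiness,dc=example,dc=local',
  'authLDAPServers1'       => array('192.0.2.10'),
  'authLDAPAccountSuffix1' => '',
  'authLDAPUseSSL1'        => false,
  'authLDAPBindUser1'      => 'LDAP@example.local',
  'authLDAPBindPass1'      => 'not-a-real-password',
  'authLDAPOrganization1'  => 'Example Ltd',
  // If both of these are set, then only users who are members of the given
  // role/group can log in to ZendTo.
  'authLDAPMemberKey'      => 'memberOf',
  'authLDAPMemberRole'     =>
'cn=AllowedUsers,OU=Users,OU=MyBusiness,dc=example,dc=local',
"""

# The same fragment with an earlier 'authenticator' line left uncommented,
# which is the situation the thread warns about.
DUPLICATE_PREFS = "  'authenticator' => 'LDAP',\n" + SAMPLE_PREFS

_ENTRY = re.compile(r"^\s*'([^']+)'\s*=>\s*(.*?)\s*,?\s*$")


def _php_value(raw):
    """Decode the PHP literal forms preferences.php uses: true/false, 'str', array(...)."""
    raw = raw.strip()
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith("array(") and raw.endswith(")"):
        return re.findall(r"'([^']*)'", raw[len("array("):-1])
    m = re.fullmatch(r"'([^']*)'", raw)
    if m:
        return m.group(1)
    raise ValueError("unsupported PHP value: %r" % raw)


def parse_prefs(text):
    """Return (settings, keys_in_order). Comment lines are skipped; a line ending in
    '=>' (value wrapped onto the next line, as in mail) is joined with its successor.
    Duplicate keys overwrite as they do in a PHP array literal; keys_in_order keeps
    every occurrence so duplicates can still be reported."""
    lines = [ln for ln in text.splitlines()
             if ln.strip() and not ln.strip().startswith(("//", "#"))]
    settings, keys_in_order = {}, []
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.rstrip().endswith("=>") and i + 1 < len(lines):
            i += 1
            line = line + " " + lines[i].strip()
        i += 1
        m = _ENTRY.match(line)
        if m:
            keys_in_order.append(m.group(1))
            settings[m.group(1)] = _php_value(m.group(2))
    return settings, keys_in_order


def _ldap_escape(value):
    """RFC 4515 escaping so a login name cannot change the shape of the filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def ldapsearch_command(settings, username, profile=1):
    """Build the ldapsearch that does the same simple bind and lookup as profile N.
    -x selects a simple bind (what PHP's ldap_bind() with a DN and password does);
    -W prompts for authLDAPBindPassN instead of exposing it in shell history/ps."""
    p = str(profile)
    servers = settings.get("authLDAPServers" + p) or []
    if not servers:
        raise ValueError("authLDAPServers%s is empty" % p)
    scheme = "ldaps" if settings.get("authLDAPUseSSL" + p) else "ldap"
    clauses = ["(sAMAccountName=%s)" % _ldap_escape(username)]
    key, role = settings.get("authLDAPMemberKey"), settings.get("authLDAPMemberRole")
    if key and role:  # reproduce the group restriction inside the search filter
        clauses.append("(%s=%s)" % (key, _ldap_escape(role)))
    ldap_filter = clauses[0] if len(clauses) == 1 else "(&%s)" % "".join(clauses)
    argv = ["ldapsearch", "-x", "-H", "%s://%s" % (scheme, servers[0]),
            "-D", settings.get("authLDAPBindUser" + p, ""), "-W",
            "-b", settings.get("authLDAPBaseDN" + p, ""),
            ldap_filter, "sAMAccountName", "memberOf"]
    return " ".join(shlex.quote(a) for a in argv)


def check_prefs(settings, keys_in_order, profile=1):
    """Return the configuration problems discussed in the thread, as strings."""
    p = str(profile)
    findings = []
    if keys_in_order.count("authenticator") > 1:
        findings.append("more than one uncommented 'authenticator' line; PHP keeps only "
                        "the last value, so the earlier ones are silently ignored")
    if settings.get("authLDAPServers" + p) and not settings.get("authLDAPUseSSL" + p):
        findings.append("authLDAPUseSSL%s is false: binds go over plain ldap:// as LDAP "
                        "simple binds, so passwords cross the network in clear text" % p)
    if bool(settings.get("authLDAPMemberKey")) != bool(settings.get("authLDAPMemberRole")):
        findings.append("authLDAPMemberKey and authLDAPMemberRole must both be set "
                        "for the group restriction to apply")
    return findings


if __name__ == "__main__":
    prefs, order = parse_prefs(SAMPLE_PREFS)
    print(ldapsearch_command(prefs, "jdoe"))
    for finding in check_prefs(prefs, order):
        print("WARNING:", finding)
```

Two points worth noting when using the generated command. The `-x` flag matters: without it, ldapsearch attempts a SASL bind, so a command that omits it is not testing the simple bind that PHP's ldap_bind() performs, and a successful SASL ldapsearch says little about whether the configured bind user and password will work. And when the generated command uses ldap:// (UseSSL false), whatever is typed at the `-W` prompt crosses the network unencrypted, exactly as the configured bind password does at every login.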
